Pierluigi Paganini August 30, 2017

An archive containing more than 630 million email addresses used by the spambot server dubbed ‘Onliner Spambot’  has been published online.

The Onliner Spambot dump is the biggest one of its kind, it was discovered by the security researcher who goes online with the handle Benkow.

The database was hosted on an “open and accessible” server in Netherlands containing a vast amount of email addresses, along with millions of SMTP credentials from around the world.

The popular researcher Troy Hunt has verified the archive and added the leaked email addresses to his breach notification site Haveibeenpwned.com.

Processing the largest list of data ever seen in @haveibeenpwned courtesy of a nasty spambot. I'm in there, you probably are too.

— Troy Hunt (@troyhunt) August 28, 2017

Interesting feedback: someone found fabricated addresses in the 711m I loaded today AND were getting spam to them https://t.co/yzn29y5q5E

— Troy Hunt (@troyhunt) August 30, 2017

The Onliner Spambot served has been used by crooks to send out spam messages and spread the Ursnif banking trojan since at least 2016.

The Ursnif Trojan was spread via spam emails that contain malicious attachments that are used to download and execute the malware.

“Indeed, to send spam, the attacker needs a huge list of SMTP credentials. To do so, there are only two options: create it or buy it. And it’s the same as for the IPs: the more SMTP servers he can find, the more he can distribute the campaign.” wrote Benkow.

“I will take as an example the Onliner spambot. This spambot is used since at least 2016 to spread a banking trojan called Ursnif. I have seen this spambot targeting specific countries like Italy, or specific business like Hotels.”

The expert discovered a list of roughly 80 million valid SMTP credentials, that were used to send out the spam messages via internet provider’s mail servers. In this way crooks made their email appear as legitimate and bypass anti-spam systems.

It is impossible to be sure about the source of the data, data may have been collected from major data breaches (i.e. LinkedIn, MySpace and Dropbox) or collected by credentials stealer malware like Pony.

According to Benkow, at least 2 million email addresses were collected through a Facebook phishing campaign.

“It’s difficult to know where those lists of credentials came from. I have obviously seen a lot of public leaks (like Linkedin, Baidu or with every passwords in clear text) but credentials can also came from phishing campaigns, credentials stealer malwares like Pony, or they can also be found in a shop.” continues the expert. “Somebody even show me a spambot with a SQL injection scanner which scan Internet, looks for SQLi, retrieves SQL tables with names like “user” or “admin”.”

At the time of writing, there is no official data on the threat actor behin the Onliner Spambot.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Onliner Spambot, spam)

[adrotate banner=”12″]